On Wednesday 22 February the United States and The Netherlands signed a "declaration of intent" on cooperation in fighting cybercrime. This event was reported by the press as a treaty. At least that is what all the Dutch postings I read wrote, with the exception of the official website of the Dutch government. So what was actually signed? Reading the news reports, some thoughts struck me.

A good thing

Of course, I declare up front that two countries signing a treaty to cooperate and to share knowledge and best practices concerning cybercrime is news of progress in dealing with the cross-border difficulties countries and agencies run into on a daily basis.

Cybercrime or security treaty or declaration of intent?

All headlines I've read claim that a cybercrime "treaty" was signed. First I focus on the cybercrime, then on the treaty. Even the official communication of the Dutch government mentions cooperation on cybercrime. However, looking at the statements of Secretary of Homeland Security Napolitano and Minister Opstelten of Security & Justice, I get a different impression. They are quoted as saying that the two countries will focus on cooperation on protecting vital infrastructure, e.g. in making SCADA (supervisory control and data acquisition) systems more secure. If this is the case, we are talking about cyber security and not cybercrime.

Hacking is mentioned as an example of instances in which forensic investigative best practices can be exchanged, but in relation to vital infrastructure. So, is the reference in the press wrong? Did the minister(y) mix up the two concepts? It does not appear that there is more, as in secret, in the text, as it is only an intent to cooperate.

Next to that, hacks of this kind, i.e. on vital infrastructure, are often discussed as potential acts of cyber war. That would mean that the topic also surpasses security and moves into the realm of cyber defence. This form of cooperation does not seem intended here.

It also becomes clear that no treaty was signed, but a declaration of intent, so an intention to cooperate. Nothing legally binding. So we will just have to wait and see what comes of it. The everyday priorities and cross-border cybercrime? This combination does not always mix well, I know from experience.

Bilateral versus multilateral treaty

The other comment that I want to make is that it is a shame that in a cross-border environment such as cybercrime and cyber security it apparently is still impossible or (too) hard to negotiate a cyber treaty, well, declaration of intent, for 27 member states of the EU with the US. The bilateral nature of the declaration means that as soon as there is a third country involved in the attack, hack, etc., cooperation ends, as the limit of the treaty/intention is reached and it is no longer effective.

Conclusion

This declaration of intent is not more than a good first step, but the challenges for countries still stretch beyond what a national jurisdiction can achieve on the Internet as to the topics discussed here. A breakthrough is needed in updating cross-border relations. Technological innovation matched by political and diplomatic innovation? It may be a solution.

By Wout de Natris, Consultant international cooperation cyber crime + trainer spam enforcement.

Comments

It certainly would not surprise me that a "treaty" to pursue (in the law enforcement sense) and prosecute "hackers" (presumably of the bad type) is perceived by politicians as a form of security. That may be revealing about them, and explain why governments accomplish so little in terms of actual security.

So which country should do what to improve actual security? US exports Microsoft Windows. NL exports NSD. Which country has more work to do?

Hint, I use only NSD from the above list.

This is not to say that law enforcement and prosecution should not be part of the cooperation between these countries. There are indeed many issues they need to work together on, exchange information about. But holding it up as a cyber security solution is entirely misleading.